The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.
Server computers may provide users with content through one or more client devices. The content may include social data, such as who knows whom, or personal financial information from a bank.
A malicious user may use software, often referred to as a “bot”, which imitates a client computer, or an application executed by the client computer, by receiving instructions from a web server and generating requests based on those instructions. For convenience of expression, a “bot” may be software and/or hardware, such as a browser running on a desktop computer, that is configured to automatically send requests with, and/or for, data to a server computer. For example, a bot may receive a web page, and generate a request based on a link defined in the web page, as if the link had been selected by a legitimate user. Also for example, a bot may generate and send a request with data assigned to one or more parameters to simulate a user submitting data to a web server through a browser.
A proactive server computer may determine that a particular client computer is a bot based on one or more patterns and/or factors, such as receiving numerous requests from a particular client computer within a short period of time. In response, the server computer may block the client computer. For example, if a web site hosting an online dictionary receives 10,000 requests for definitions of 10,000 different words in an hour from the same client computer, then the server computer may determine that the client computer is a bot, and block any future requests from that client computer.
To prevent a server computer from determining that a particular client computer is a bot, a malicious user may create a “bot-net”: a network of numerous computers distributed over a range of geographic regions, which may coordinate an attack against a server computer without causing the server computer to determine that any computer in the bot-net is a bot. Malicious users may use bot-nets to commit many types of unauthorized acts, crimes or computer fraud, such as content scraping, ratings manipulation, fake account creation, reserving rival goods attacks, ballot stuffing attacks, password snooping, web site scraping attacks, vulnerability assessments, and stack fingerprinting attacks. For purposes of illustrating a clear example, assume a bot-net includes 400 infected computers, each of which is configured to make 25 requests for definitions of 25 different words over an hour. The proactive server computer may not register any of the client computers in the bot-net as a bot, because each computer is only requesting definitions for 25 words per hour. If each computer in the bot-net makes a request for a different word, then the bot-net may collect definitions for 10,000 words combined. Each computer in the bot-net may send the definitions to a server computer controlled by the malicious user.
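The following is an added example, not code from the patent, that runs the per-client rate check described above over constructed traffic for both scenarios: one client requesting 10,000 definitions in an hour, and a bot-net of 400 computers requesting 25 each. The 1,000-requests-per-hour threshold, the client identifiers and the site-wide distinct-definition count are assumptions added here; the last goes beyond the text to show what the two scenarios have in common.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600      # the one-hour window used in the dictionary example
MAX_PER_CLIENT = 1000      # assumed per-client threshold; the text gives no exact number


def make_requests(client_ids, per_client, window=WINDOW_SECONDS):
    """Constructed sample traffic: each client requests `per_client` distinct
    words, spread evenly across the window. Returns (ts, client_id, word)."""
    log, word_no = [], 0
    for cid in client_ids:
        for i in range(per_client):
            log.append((i * window / per_client, cid, f"word{word_no}"))
            word_no += 1
    return sorted(log)


def flag_clients(log, max_per_client=MAX_PER_CLIENT, window=WINDOW_SECONDS):
    """Per-client sliding-window counter, the kind of check the text describes.
    Returns the client ids that exceed max_per_client requests in any window."""
    flagged, recent = set(), defaultdict(deque)
    for ts, cid, _ in log:
        q = recent[cid]
        q.append(ts)
        while q[0] <= ts - window:          # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > max_per_client:
            flagged.add(cid)
    return flagged


def distinct_words_served(log):
    """Site-wide view (an assumption added here, not a check the text describes):
    how many distinct definitions left the server, regardless of which client asked."""
    return len({word for _, _, word in log})


def single_bot_scenario():
    """One client fetching 10,000 definitions in an hour: flagged."""
    return flag_clients(make_requests(["bot-1"], 10_000))


def botnet_scenario():
    """400 infected computers fetching 25 definitions each: none flagged,
    although the server still served 10,000 definitions in the same hour."""
    return flag_clients(make_requests([f"infected-{i}" for i in range(400)], 25))


if __name__ == "__main__":
    print("single bot flagged:", single_bot_scenario())   # {'bot-1'}
    print("bot-net clients flagged:", botnet_scenario())  # set()
```

Both scenarios hand the attacker the same 10,000 definitions, so a per-client threshold alone is only as strong as the attacker's willingness to spread requests across enough hosts.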
A web site developer or administrator may attempt to implement countermeasures to prevent attacks from bot-nets, but testing those countermeasures can be difficult or expensive. For example, a web site developer may create a bot-net by setting up hundreds of servers in data centers around the world, and writing complex software to simulate a bot-net. Doing so is expensive and time-consuming. Furthermore, malicious users create new attacks for bot-nets to perform. Writing new, often more complex software to simulate new bot-net attacks using computers in data centers around the world may be difficult and expensive.